Help file: Be careful with security certificate warnings
Sunday, July 11, 2010

Q: When I tried to connect to a secure site, my browser displayed an error warning that "there is a problem with this site's security certificate" that strongly advised me to back out. Was it not safe?

A: This reader ran into a certificate name mismatch, sometimes called an "SSL mismatch": the name written into the site's security certificate does not match the address you just typed into the browser, so the browser cannot confirm that the site you reached is the one you asked for.

For example, last year the government's dtv2009.gov site would generate this error if visitors typed in "dtv2009.gov" instead of "www.dtv2009.gov." Officials running the site fixed the problem after getting grilled on it in a Senate hearing, but the problem persists among numerous commercial sites today.

In older browsers, this problem only produced a technically phrased dialog box that could be dismissed with a click. But as "phishing" attacks that impersonate known sites have increased, the warnings have become far more forceful. Browsers now block the entire page and strongly suggest that you reverse course, because a certificate that does not match the address is exactly what a visitor would see on a fake site posing as the real one.

So what to do? Don't assume that the site in question is legitimate. First, compare the address shown in the security-certificate warning with the one you typed in, and look at exactly where the two differ.

If the only difference is a missing "www" in one of those places, the cause is almost always a site that forgot to cover both forms of its name in one certificate; the safer response is to retype the address the way the certificate spells it and confirm that the warning disappears, rather than clicking through it. If you know that the site recently changed its address and see its old domain name listed in the certificate, that too can be an innocent oversight. Any other difference, such as a completely different domain or a look-alike spelling, should be treated as a reason to leave. Either way, it doesn't hurt to take a moment to run a quick Web search along the lines of "[site's name] certificate error" or "[site's name] hacked" to see whether others have reported the same thing.

The strongest signal of a site's identity is an "Extended Validation" security certificate, which causes most current browsers to highlight all or part of the address bar in a reassuring shade of green and to display the company's verified name next to its Web address. Keep in mind that this indicator appears only when the certificate is valid for the address you are visiting; a site that is already producing a mismatch warning will not show it, and an EV site whose certificate matches will not produce the warning in the first place.